Executive Summary
Summary | |
---|---|
Title | Skype does not properly filter input from external websites |
Information | |||
---|---|---|---|
Name | VU#248184 | First vendor Publication | 2008-01-22 |
Vendor | VU-CERT | Last vendor Modification | 2008-01-22 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Vulnerability Note VU#248184

Skype does not properly filter input from external websites

Overview

The Skype client does not properly filter user-supplied input from websites that provide video content to Skype users.

I. Description

Skype is a peer-to-peer application that provides Voice over IP (VoIP) and Instant Messaging services. The Skype client is available for the Microsoft Windows, Apple OS X and Linux operating systems.

Skype users can include videos from the Dailymotion and other websites in their mood panel. Videos from these websites are also available via the Skype video browser. Skype does not properly filter user-supplied input that is provided from these third-party websites. An attacker may be able to exploit this vulnerability by uploading a specially crafted movie file to a site that provides video content to Skype users.

Skype uses the Internet Explorer web control to render HTML content. This is also used to provide the "add video to mood" and "add video to chat" functionality. This is realized over a JS/ActiveX interface, which allows scripts to be run in the Local Zone security context of IE. In order to exploit this, an attacker must exploit a code injection vulnerability at the partner site. Such a vulnerability has been discovered in the Dailymotion website.

Discussion

An attacker who constructs the Title of the video in a specific way can cause arbitrary code to be executed on the target's PC. For the vulnerability to be triggered, the target must find this video in the Dailymotion section of the Skype video gallery browser. Watching the video in a Skype chat or in a mood message is safe, as the Internet Explorer control is not used. The proof of concept has been made public by Aviv Raff and Miroslav Lucinskij.

II. Impact

A remote unauthenticated attacker may be able to execute arbitrary code.

III. Solution

Per SKYPE-SB/2008-001, Skype has temporarily disabled the ability to add videos from the Dailymotion site until an official fix has been made available. Note that the Dailymotion website contained an XSS vulnerability that could be used as an attack vector, and blocking new videos from the Dailymotion website will not completely address this issue.

Include Skype in the Local Machine Zone Lockdown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LocalMachine_Lockdown]
"Skype.exe"=dword:00000001

Note that this workaround does not directly address the vulnerability, and may cause some of Skype's features to fail or operate with limited functionality.

Systems Affected
References
This vulnerability was disclosed by Miroslav Lucinskij. This document was written by Ryan Giobbi.
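
The Local Machine Zone Lockdown workaround from the Solution section can be audited across a fleet with a read-only check. The PowerShell below is an added example, not part of the vulnerability note or of Skype's bulletin; the key and value name come from the workaround, while the WOW6432Node path is an assumption covering a 32-bit Skype client on 64-bit Windows, which reads the redirected registry view.

```powershell
# Added example: audit the Local Machine Zone Lockdown opt-in for Skype.exe.
# Key and value name are taken from the workaround in the note; the
# WOW6432Node view is an assumption for 32-bit Skype on 64-bit Windows.
$feature   = 'Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LocalMachine_Lockdown'
$valueName = 'Skype.exe'
$views = @(
    "HKLM:\SOFTWARE\$feature",
    "HKLM:\SOFTWARE\WOW6432Node\$feature"
)

function Get-LockdownState {
    param([string]$KeyPath, [string]$Name)
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return 'KeyMissing'
    }
    $key = Get-Item -LiteralPath $KeyPath
    # GetValue returns $null when the named value does not exist.
    $data = $key.GetValue($Name, $null)
    if ($null -eq $data) { return 'ValueMissing' }
    # The workaround specifies a DWORD; a string "1" is not honoured the same way.
    if ($key.GetValueKind($Name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return 'WrongType'
    }
    if ($data -eq 1) { return 'Enabled' }
    return 'Disabled'
}

$results = foreach ($path in $views) {
    [pscustomobject]@{
        Key   = $path
        Value = $valueName
        State = Get-LockdownState -KeyPath $path -Name $valueName
    }
}
$results | Format-Table -AutoSize

# Exit non-zero when no registry view has the lockdown enabled, so the
# script can serve as a compliance check in a management tool.
if (-not ($results | Where-Object State -eq 'Enabled')) {
    Write-Warning 'Skype.exe is not opted in to Local Machine Zone Lockdown.'
    exit 1
}
```

A state of `Enabled` only confirms the workaround is in place; as the note says, it does not address the underlying input-filtering flaw.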
Original Source
Url : http://www.kb.cert.org/vuls/id/248184 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:26510 | |||
Oval ID: | oval:org.mitre.oval:def:26510 | ||
Title: | Cross-zone scripting vulnerability in the Internet Explorer web control | ||
Description: | Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.6.0.244, and earlier 3.5.x and 3.6.x versions, on Windows allows user-assisted remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Title field of a (1) Dailymotion and possibly (2) Metacafe movie in the Skype video gallery, accessible through a search within the "Add video to chat" dialog, aka "videomood XSS." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2008-0454 | Version: | 3 |
Platform(s): | Microsoft Windows 2000, Microsoft Windows 7, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Vista, Microsoft Windows XP, Microsoft Windows 8, Microsoft Windows 8.1 | Product(s): | Skype |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
42864 | Skype Internet Explorer Web Control Video Gallery Metacafe Movie Title Cross-... |
42863 | Skype Internet Explorer Web Control Dailymotion Title Field Cross-zone Scripting |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2008-02-07 | Name : The remote Skype client is affected by a remote code execution issue through ... File : skype_2008_001.nasl - Type : ACT_GATHER_INFO |